LPS-16415 (PUBLIC - Liferay Portal Community Edition)

possible xss issue in servicebuilder generated code / escapedModel

    Details

    • Fix Priority:
      4

      Description

      Context: Book is a Service Builder generated entity/service. Among other properties it has a localizable property (title). When this is output to a JSP with liferay-ui:search-container, the escapedModel declaration doesn't work as expected:

      <liferay-ui:search-container-row
          className="com.liferay.training.library.model.Book"
          keyProperty="bookId"
          modelVar="book"
          escapedModel="true"
      >
          <liferay-ui:search-container-column-text
              name="title"
              value="<%= book.getTitle(locale) %>"
          />
          .....

      This works for other properties of the book, like author, and properly escapes it. However, the localized property 'title' doesn't seem to be escaped. Debugging into BookModelImpl confirms this:

      public String getTitle(String languageId) {
          String value = LocalizationUtil.getLocalization(getTitle(), languageId);

          if (isEscapedModel()) {
              return HtmlUtil.escape(value);
          }
          else {
              return value;
          }
      }

      isEscapedModel returns false.

      If I fix the issue in the JSP above with HtmlUtil.escape(book.getTitle(locale)) and this issue gets fixed, I will have escaped the content twice. So this means that fixing this bug might break existing code (where developers escaped manually) or fix such code (where they expected escapedModel="true" to do the work for them).

              People

              Assignee:
              olaf.kock Olaf Kock
              Reporter:
              olaf.kock Olaf Kock
              Participants of an Issue:
              Recent user:
              Esther Sanz

                Dates

                Days since last comment:
                10 years, 34 weeks, 5 days ago

                  Packages

                  Version Package
                  6.1.20 EE GA2
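
The escaping behaviour discussed in the description, as an added example that is not Liferay's or the reporter's code: it shows the raw output when the escaped-model flag is false, the expected output when it is honoured, and the double-escaped output when a manual escape is kept on top. `Book`, `escape` (a stand-in for HtmlUtil.escape) and the sample value are assumptions made for the illustration.

```java
import java.util.Map;

public class EscapedModelDemo {
    // Minimal HTML escaper standing in for HtmlUtil.escape (assumption, not Liferay code).
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical model with one plain and one localized property.
    record Book(String author, Map<String, String> titles, boolean escapedModel) {
        String getAuthor() { return escapedModel ? escape(author) : author; }
        String getTitle(String languageId) {
            String value = titles.getOrDefault(languageId, "");
            return escapedModel ? escape(value) : value;
        }
        Book toEscapedModel() { return new Book(author, titles, true); }
    }

    static void check(boolean ok, String msg) {
        if (!ok) throw new AssertionError(msg);
    }

    public static void main(String[] args) {
        String sample = "<b>Tom & Jerry</b>"; // constructed sample value
        Book raw = new Book(sample, Map.of("en_US", sample), false);
        Book escaped = raw.toEscapedModel();

        // Flag false on the localized getter: markup reaches the page unescaped.
        check(raw.getTitle("en_US").equals(sample), "raw title");
        // Flag honoured: plain and localized getters must escape identically.
        check(escaped.getAuthor().equals("&lt;b&gt;Tom &amp; Jerry&lt;/b&gt;"), "author");
        check(escaped.getTitle("en_US").equals(escaped.getAuthor()), "title");
        // Manual escape kept after the fix: entities are escaped a second time.
        check(escape(escaped.getTitle("en_US"))
            .equals("&amp;lt;b&amp;gt;Tom &amp;amp; Jerry&amp;lt;/b&amp;gt;"), "double");
        System.out.println("all checks passed");
    }
}
```

A comparison like the third check, run over every String getter of a generated model, makes a getter that ignores the flag show up in a unit test rather than in rendered output.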